Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan.Metajuan

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Trojan.Metajuan

Unread postby mikelowery » August 21st, 2009, 1:18 pm

O16 - DPF: PowerBuilder DW Control & JDBC - http://us-tx-exp-02:8080/exponline/PSDWC70.CAB
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network -----------------------------------------------------------
Deleted but No. 23 still shows up.

Delete the Service
Open HiJackThis. Click on Config, Misc Tools, Delete an NT Service
Type
McAfeeFramework <==note there are no spaces. That's not a mistake.
in the box provided and click OK
The program will ask you to REBOOT --- Accept.

Did this and it keeps saying it is running and can not delete. I deleted C:\Program Files\Network Associates\
last night.


Let me know how the machine is running ====> Worse. If I use a search engine, it will be blank. I can not read my email. Some websites come on incomplete. Everytime I open I.E. another site opens. Any sports website I go to, I can not view the video on the main page.
mikelowery
Active Member
 
Posts: 11
Joined: August 13th, 2009, 8:25 pm
Advertisement
Register to Remove

Re: Trojan.Metajuan

Unread postby askey127 » August 21st, 2009, 1:41 pm

mike,
Open Notepad, paste the following code box contents into the text.
Code: Select all
sc stop McAfeeFramework
sc config McAfeeFramework start= disabled
sc delete McAfeeFramework
Use Notepad's File, Save As to save it to your desktop as File type All Files (not as text file or it won't work), and file name FixSvc.bat
Exit Notepad and double click on FixSvc.bat
A Command window will flash on and off.

REBOOT your machine. Sign in to your usual account.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!!
If you don't know how to disable your antivirus, stop and ask
  • Download ComboFix from here and save it to your desktop.

    If you have to, download it to a flash drive using another machine, and copy it from the flash to your desktop.

  • Disable NORTON antivirus before proceeding!
  • Now start ComboFix
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy is located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan.Metajuan

Unread postby mikelowery » August 21st, 2009, 2:20 pm

It won't run. On the task manager, it shows it on processes, but nothing happens when I run it.
mikelowery
Active Member
 
Posts: 11
Joined: August 13th, 2009, 8:25 pm

Re: Trojan.Metajuan

Unread postby askey127 » August 21st, 2009, 3:35 pm

If you right click it on your desktop and choose properties it should be about 3.03 Mb in size.
Does renaming it to lowery.exe allow you to run it?

Meanwhile try this please.
-----------------------------------------------------------
Download Blacklight from here:
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html
or
Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Please save it to your desktop.

Go to Start-->Run, copy in the following text, and press Enter:
"%userprofile%\desktop\fsbl.exe" /expert

Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan.Metajuan

Unread postby mikelowery » August 21st, 2009, 4:20 pm

That worked, here you go:

ComboFix 09-08-20.07 - user 08/21/2009 14:52.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1569 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\lowery.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1220f.msi
c:\windows\Installer\1830252.msp
c:\windows\Installer\368fc.msp
c:\windows\Installer\379b4.msp
c:\windows\Installer\99cb64.msp
c:\windows\system32\drivers\UACvylespvuyp.sys
c:\windows\system32\UACaahktlewdl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjmdddcixgo.db
c:\windows\system32\UACndiewnqkbe.dll
c:\windows\system32\UACrdsnaqlqpe.dll
c:\windows\system32\UACxnspypuxnq.dll
c:\windows\system32\UACyupelanpiv.dat
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 15:49 . 2009-08-21 15:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-21 13:17 . 2009-08-21 13:17 -------- d-----w- c:\program files\Trend Micro
2009-08-18 18:41 . 2009-08-18 18:41 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-08-18 13:28 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 13:28 . 2009-08-21 14:37 -------- d-----w- c:\program files\Period
2009-08-18 13:28 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-17 19:41 . 2009-08-17 20:07 -------- d-----w- c:\program files\VS Revo Group
2009-08-13 23:59 . 2009-08-13 23:59 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-13 23:59 . 2009-08-13 23:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Hitman Pro
2009-08-13 23:16 . 2009-08-13 23:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-13 16:40 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-08-13 16:40 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-13 16:40 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-13 16:40 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-13 12:32 . 2009-08-13 12:32 -------- d-----r- c:\program files\Norton Support
2009-08-12 19:40 . 2009-08-12 19:40 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Symantec
2009-08-12 19:30 . 2009-08-12 19:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 14:23 . 2009-08-12 19:23 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SecTaskMan
2009-08-12 13:15 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 15:49 . 2007-05-30 14:34 -------- d-----w- c:\program files\Java
2009-08-21 15:48 . 2007-02-04 01:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 12:40 . 2009-04-02 13:35 -------- d-----w- c:\program files\Symantec
2009-08-19 12:40 . 2009-04-02 13:35 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 12:40 . 2009-04-02 13:35 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-19 12:40 . 2009-04-02 13:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 12:40 . 2009-04-02 13:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 19:11 . 2009-04-02 13:36 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-13 17:37 . 2008-05-23 13:35 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-13 15:44 . 2009-04-02 13:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-13 15:44 . 2009-04-02 13:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:35 . 2009-02-12 13:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 04:45 . 2009-05-31 13:56 -------- d-----w- c:\program files\MediaCoder
2009-07-10 13:07 . 2009-07-10 13:07 -------- d-----w- c:\program files\Verizon Wireless
2009-07-10 13:04 . 2009-07-10 13:04 -------- d-----w- c:\program files\Novatel Wireless
2009-07-03 17:09 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-11 23:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 23:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 23:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 23:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-11 23:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 23:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-11 23:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-11 23:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-11 23:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-11 23:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-01-30 512000]
"TDxVGAUTIL"="c:\windows\system32\TDxVGAUTIL.EXE" [2005-12-19 65536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-26 26112]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-21 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\user\Start Menu\Programs\Startup\
FAXRX.lnk - c:\program files\Brother\Brmfl06d\FAXRX.exe [2009-3-3 512000]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-26 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Brother\\Brmfl06d\\FAXRX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25:TCP"= 25:TCP:SMTPMail
"110:TCP"= 110:TCP:POP3
"54925:UDP"= 54925:UDP:Brother Fax/Scan/Copy

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00A\SymEFA.sys [8/19/2009 7:39 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00A\BHDrvx86.sys [8/19/2009 7:39 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00A\cchpx86.sys [8/19/2009 7:39 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 2:42 PM 276344]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/31/2007 12:03 PM 58464]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe [8/19/2009 7:39 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/2/2009 8:54 AM 101936]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 11:08 AM 174336]
R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [3/15/2007 2:41 PM 233984]
R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [3/15/2007 2:41 PM 234496]
S2 qttuwjmt;qttuwjmt;c:\windows\system32\drivers\dkqhdyc.sys --> c:\windows\system32\drivers\dkqhdyc.sys [?]
S2 tbisu;tbisu;c:\windows\system32\drivers\jmkl.sys --> c:\windows\system32\drivers\jmkl.sys [?]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [3/15/2007 2:41 PM 27135]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/15/2008 10:25 AM 31592]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [8/13/2009 6:59 PM 11904]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 12:23 PM 20480]
S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.sys [3/15/2007 2:41 PM 22528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC8B4D35-FC70-4A52-9655-E8784FDEEB87}]
msiexec /fu {FC8B4D35-FC70-4A52-9655-E8784FDEEB87}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-ShStatEXE - c:\program files\Network Associates\VirusScan\SHSTAT.EXE
HKLM-Run-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
HKLM-Run-CmUsbSound - cmcnfgu.cpl
HKLM-Run-UDC Integration - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 15:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Norton Internet Security\Engine\16.7.2.10\MCUI32.exe
.
**************************************************************************
.
Completion time: 2009-08-21 15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 20:18

Pre-Run: 151,398,948,864 bytes free
Post-Run: 153,153,249,280 bytes free

239 --- E O F --- 2009-08-17 13:46
mikelowery
Active Member
 
Posts: 11
Joined: August 13th, 2009, 8:25 pm

Re: Trojan.Metajuan

Unread postby askey127 » August 22nd, 2009, 8:38 am

mike,
Now we are getting somewhere.

With this infection and its variants (W32/Tidserv), you cannot be sure whether there has been some attempt to steal information stored or typed into your machine.
You should assume any kind of financial information related to this machine has been stolen.
You should take any necessary measures and change all relevant card account numbers and change all passwords/PINs.
--------------------------------------------------
Run Flash Disinfector
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task > Run... Type in explorer.exe and press Enter. Your desktop should now appear.
Wait until it has finished scanning and then exit the program.

You can run Flash Disinfector with other flash drives and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
Infected Flash drives and other USB devices are transmission mediums for this infection.
-----------------------------------------------------------
TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Note: Save your work. TFC will automatically close any open programs. Let it run uninterrupted.
  • Double-click TFC.exe to run the program.
  • The scan shouldn't take longer take a couple of minutes, and may only take a few seconds.
  • TFC will most likely require a Reboot. If prompted, click "Yes" to reboot.
-----------------------------------------------------
Run an Online Kaspersky WebScan
(This will only run if you successfully installed the latest Java Runtime we instructed earlier).
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Let me know if your machine is beginning to behave properly.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan.Metajuan

Unread postby askey127 » August 26th, 2009, 7:27 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 47 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware